---
title: Prebuilt rule components
description: Understand prebuilt rule tags, data sources, investigation guides, and how to transition to custom rules.
url: https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/prebuilt-rule-components
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Prebuilt rule components
Elastic prebuilt rules are designed to detect common threats across your environment. This page explains how prebuilt rules are organized, what data they need, and how to use the investigation guides that accompany them.

## Prebuilt rule tags

Each prebuilt rule includes several tags identifying the rule's purpose, detection method, associated resources, and other information to help categorize your rules. These tags are category-value pairs; for example, `OS: Windows` indicates rules designed for Windows endpoints. Categories include:

| Tag category  | Description                                                                                                                                                                               |
|---------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `Data Source` | The application, cloud provider, data shipper, or Elastic integration providing data for the rule.                                                                                        |
| `Domain`      | A general category of data source types (such as cloud, endpoint, or network).                                                                                                            |
| `OS`          | The host operating system.                                                                                                                                                                |
| `Resources`   | Additional rule resources such as investigation guides.                                                                                                                                   |
| `Rule Type`   | Identifies if the rule depends on specialized resources (such as machine learning jobs or threat intelligence indicators), or if it's a higher-order rule built from other rules' alerts. |
| `Tactic`      | MITRE ATT&CK tactics that the rule addresses.                                                                                                                                             |
| `Threat`      | Specific threats the rule detects (such as Cobalt Strike or BPFDoor).                                                                                                                     |
| `Use Case`    | The type of activity the rule detects and its purpose.                                                                                                                                    |


### Use case tags

The `Use Case` tag category has the following values:

| Use case                      | Description                                                                                                                                              |
|-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| `Active Directory Monitoring` | Detects changes to Active Directory objects such as user accounts, groups, and group policies that could indicate privilege escalation or persistence.   |
| `Asset Visibility`            | Tracks changes to hosts, devices, and other assets to identify unauthorized modifications or new devices appearing on the network.                       |
| `Configuration Audit`         | Identifies security-relevant configuration changes that could weaken defenses, such as disabled security controls or modified audit policies.            |
| `Guided Onboarding`           | Example rule used for Elastic Security's guided onboarding tour.                                                                                         |
| `Identity and Access Audit`   | Monitors identity and access management (IAM) activity such as permission changes, role assignments, and authentication policy modifications.            |
| `Log Auditing`                | Detects tampering with log configurations or storage, such as clearing event logs or disabling audit logging, which attackers use to cover their tracks. |
| `Network Security Monitoring` | Monitors network security configurations such as firewall rules, proxy settings, and DNS changes that could indicate compromise or policy violations.    |
| `Threat Detection`            | Identifies malicious behaviors, attack techniques, and indicators of compromise across endpoints, networks, and cloud environments.                      |
| `Vulnerability`               | Detects active exploitation of known vulnerabilities (CVEs) in your environment.                                                                         |


## Prebuilt rule data sources

Each prebuilt rule queries specific index patterns, which determine the data the rule searches at runtime. You can see a rule's index patterns on its details page under **Definition**.
To help you set up the right data sources, rule details pages include:
<definitions>
  <definition term="Related integrations">
    [Elastic integrations](https://docs.elastic.co/en/integrations) that can provide compatible data. You don't need to install all listed integrations—installing any integration that matches your environment is typically sufficient. If a rule requires multiple integrations, the setup guide specifies which ones. Some rules also work with data from legacy beats (such as Filebeat or Winlogbeat) without requiring a Fleet integration. This field also displays each integration's installation status and includes links for installing and configuring the listed integrations.
  </definition>
  <definition term="Required fields">
    Data fields the rule expects to find. Most rules run even if fields are missing, but may not generate expected alerts. EQL rules have stricter validation and might fail if required fields are missing.
  </definition>
  <definition term="Setup guide">
    Step-by-step guidance for configuring the rule's data requirements.
  </definition>
</definitions>


### Check integration status from the Rules table

You can check rules' related integrations in the **Installed Rules** and **Rule Monitoring** tables. Select the **integrations** badge to display the related integrations in a popup. The badge shows how many of the rule's related integrations are currently installed and enabled—for example, `1/2` means one of two related integrations is installed and actively collecting data.
An integration is counted as enabled only if it has been added to an agent policy and that policy is deployed to at least one agent. Installing an integration package without adding it to a policy does not increment the enabled count.
<admonition title="Requirements for viewing related integration status">
  To view related integration status in the Rules table, your role needs at least `Read` privileges for the following features under Management:
  - Integrations
  - Fleet
  - Saved Objects
  Without these privileges, the integrations badge may not appear or may not reflect accurate installation status.
</admonition>

<tip>
  You can hide the **integrations** badge in the Rules tables by turning off the `securitySolution:showRelatedIntegrations` [advanced setting](/elastic/docs-builder/docs/3016/solutions/security/get-started/configure-advanced-settings#show-related-integrations).
</tip>


## Prebuilt rule investigation guides

Many prebuilt rules include investigation guides—Markdown documents that help analysts triage, analyze, and respond to alerts. A good investigation guide reduces mean time to respond by giving analysts the context and queries they need without leaving the alert details flyout.

### Find a rule's investigation guide

1. Open an alert generated by the rule.
2. In the alert details flyout, go to the **Investigation** section on the **Overview** tab.
3. If the rule has an investigation guide, select **Show investigation guide** to open it in the details panel.

You can also view investigation guides from the rule's details page. Find **Detection rules (SIEM)** in the navigation menu, then select the rule name.

### What investigation guides include

Prebuilt rule investigation guides typically contain:
- **Context**: Background on the threat or technique the rule detects.
- **Triage steps**: How to determine if the alert is a true positive.
- **Investigation queries**: Pre-built queries to gather additional context. Some guides include interactive Timeline buttons.
- **Response guidance**: Actions to take if the alert is confirmed as a true positive.

<note>
  You cannot edit investigation guides for prebuilt rules. To customize a prebuilt rule's guide, [duplicate the rule](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/customize-prebuilt-rules#duplicate-prebuilt-rules) first, then edit the duplicate's investigation guide.
</note>


### Write investigation guides for custom rules

When you create custom rules, you can write your own investigation guides using Markdown with interactive elements like Timeline queries and Osquery buttons. Refer to [Write investigation guides](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/write-investigation-guides) for syntax and best practices.

## Build custom rules

Prebuilt rules cover common threats, but your environment has unique risks. When you need detection logic tailored to your infrastructure, applications, or threat model, refer to [Author rules](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/author-rules) for guidance on selecting a rule type, writing queries, and configuring rule settings.